Razmik Ghanaghounian wrote:
Privet Sergey..
I put trusted users 'cyrus' in submit.cf and it didn't help. Here is
the cut from my submit.cf:
#####################
# Trusted users #
#####################
# this is equivalent to setting class "t"
#Ft/etc/mail/trusted-users
Troot
Tdaemon
Tuucp
Tcyrus
And Nikola... the permissions on the sendmail binary are
r-xr-sr-x r root smmsp
so yes, it is setGid smmsp.
Anyway, setting g+w on /var/spool/clientmqueue and making cyrus a member
of smmsp does the trick, but I know it isn't the right way.

The SECURITY file of the Sendmail distribution explains this at some
length, but I'll just give you the gist.
Older versions of Sendmail had the binary set to "rwsr-xr-x", with
SetUID=root. This allowed any user on the system to use sendmail to send
mail to another local user (sendmail had to be root in order to invoke
/bin/mail as root, which delivered to /var/spool/mail/*). Newer versions
have actually 2 daemons using the same binary. Three system accounts are
in play here, "root", "smmta" and "smmsp". MTA daemon runs as "root" and
drops to "smmta" when it handles a connection. MTA-queue scans
/var/spool/clientmqueue and if it sees a mail in it, delivers it as
"root". Sendmail binary is SetGID to "smmsp" and any user running it
will run it with that group ID, allowing any user on the system to
submit messages to /var/spool/clientmqueue, in case MSP cannot contact
MTA directly (over the socket).
So, to summarize, "cyrus" shouldn't be a member of "smmsp" group, but
rwxrwx--- on /var/spool/clientmqueue is a must.
Nix.
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
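
The layout summarized in the reply above can be checked mechanically. The script below is an added example, not part of the original thread or of the Sendmail distribution: it tests that the binary is set-group-ID smmsp rather than set-user-ID, that the client queue has rwxrwx--- permissions, and that a service account such as cyrus is not itself in smmsp. It assumes GNU `stat -c`, and that the queue directory's group is smmsp; the function names are hypothetical.

```sh
#!/bin/sh
# Audit of the set-group-ID MSP layout described above (added example).
# Group "smmsp" and mode rwxrwx--- come from the thread; GNU "stat -c" and
# the queue directory's group being smmsp are assumptions about the host.

# has_bit MODE MASK: true if octal MODE (as printed by stat %a) has MASK set.
has_bit() { [ $(( 0$1 & $2 )) -ne 0 ]; }

# check_binary MODE GROUP: must be set-group-ID smmsp and not set-user-ID.
check_binary() {
    if has_bit "$1" 04000; then echo "binary: set-user-ID (old layout)"; return 1; fi
    if ! has_bit "$1" 02000; then echo "binary: not set-group-ID"; return 1; fi
    if [ "$2" != smmsp ]; then echo "binary: group is $2, not smmsp"; return 1; fi
    echo "binary: ok"
}

# check_queue MODE GROUP: permission bits must be rwxrwx--- (special bits
# such as set-group-ID on the directory are ignored), group must be smmsp.
check_queue() {
    if [ $(( 0$1 & 0777 )) -ne $(( 0770 )) ]; then
        echo "queue: mode $1, expected rwxrwx---"; return 1
    fi
    if [ "$2" != smmsp ]; then echo "queue: group is $2, not smmsp"; return 1; fi
    echo "queue: ok"
}

# check_member USER GROUPS: a service account should not be in smmsp itself.
# GROUPS is the space-separated output of "id -Gn USER".
check_member() {
    for g in $2; do
        if [ "$g" = smmsp ]; then echo "$1: member of smmsp"; return 1; fi
    done
    echo "$1: ok"
}

# audit_msp BINARY QUEUE USER: run all three checks against the live system.
audit_msp() {
    rc=0
    check_binary "$(stat -c %a "$1")" "$(stat -c %G "$1")" || rc=1
    check_queue "$(stat -c %a "$2")" "$(stat -c %G "$2")" || rc=1
    check_member "$3" "$(id -Gn "$3")" || rc=1
    return $rc
}

# Constructed sample values (not from a real host): the state reported in
# the question, i.e. binary r-xr-sr-x root:smmsp and cyrus added to smmsp.
check_binary 2555 smmsp || true
check_queue 770 smmsp || true
check_member cyrus "mail smmsp" || true
```

On a live host, call `audit_msp` with the path of the installed sendmail binary, `/var/spool/clientmqueue`, and the account name.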